Security

Last updated: December 2025

At QR Code API, security is a core part of our infrastructure and development practices. This page outlines the security measures we implement to protect your data.

Data Encryption

Authentication & Access Control

• API keys are generated using cryptographically secure random bytes
• Passwords are hashed using PBKDF2 with SHA-512 and unique salts
• Session tokens expire after 7 days of inactivity
• API key rotation is available through the dashboard

Infrastructure Security

• Hosted on Vercel's secure, SOC 2 Type II certified infrastructure
• Database hosted on Supabase with automated security patches
• DDoS protection and Web Application Firewall (WAF) enabled
• Regular security updates and dependency audits

Rate Limiting & Abuse Prevention

• Per-user rate limits prevent API abuse
• Automatic blocking of suspicious activity patterns
• IP-based rate limiting for unauthenticated requests

Audit Logging

We maintain comprehensive audit logs of:

• Authentication events (logins, logouts, API key usage)
• Account changes (password updates, plan changes)
• Administrative actions

Audit logs are retained for 90 days and are available to Enterprise customers.

Privacy by Design

• IP addresses are hashed for analytics (we don't store raw IPs)
• Minimal data collection - we only store what's necessary
• No third-party analytics or tracking on the API
• GDPR-compliant data handling practices

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to security@qrcodeapi.io. We appreciate your help in keeping our platform secure and will acknowledge your contribution.

Compliance

Our infrastructure providers maintain the following certifications:

• SOC 2 Type II (Vercel, Supabase)
• ISO 27001
• GDPR compliance

Contact

For security questions or concerns, contact our security team at security@qrcodeapi.io.